The HTTP header is named Authorization, and its value is the concatenation of:
- Your Principal ID
- A Timestamp
- A Signature Token
The values are separated by pipe characters, i.e., |. Example:
Request Header Parameters
||This is your principal ID.|
||An ISO-8601 formatted date using GMT time. This parameter must be within 5 minutes of the time on the Eventing server, which your application can verify with a GET request to the unauthenticated
||A signature hash generated from the payload and shared secret using the CMAC algorithm. See the next section.|
All parameters are required.
The signature token is generated by taking a set of parameter values and computing a CMAC over them with the secret key provided when you got your principal.
The parameters you'll use for the token base string differ for each type of subscription API request. Refer to the API reference for the correct values to use.
Example Token Creation: Payload
For the example, this is the payload for the Create Subscription request. Note the values are bolded for easy identification, and this API requires the values be URL encoded.
Example Token Creation: Base String
The base string is the un-encoded, un-hashed values that will be combined with a secret to create the signature token. For the Create Subscription Request above, the base string looks like this. See the API Reference for more specifics.
The base string is prefixed with the timestamp to create the full value to be combined with a secret to create the token.
Example Token Creation: Hashed Values
The full base string (with timestamp) is put through a CMAC algorithm with your secret key. The resulting hash is the signature token. A secret key of 1234567890123456 applied to the example base string produces:
Example Authorization Header (Complete)
Then append the signature token to the HTTP Header value as described above.
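The signing steps above, together with the matching check on the receiving side, as an added example that is not code from the original page or from the API provider; it goes beyond the client steps to show how the 5-minute window and the token are verified. Assumptions: AES is the CMAC block cipher (consistent with the 16-character example key), the token is hex-encoded, timestamps look like 2024-01-01T12:00:00Z, the principal ID and base string are constructed, and the function names are hypothetical. It uses the Python cryptography package.

```python
# Added example. Assumptions: AES is the CMAC block cipher, the token is
# hex-encoded, and timestamps look like 2024-01-01T12:00:00Z.
import hmac
from datetime import datetime, timedelta, timezone

from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.cmac import CMAC

MAX_SKEW = timedelta(minutes=5)  # window stated in the parameter table
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def sign(secret: bytes, timestamp: str, base_string: str) -> str:
    """CMAC over timestamp + base string, using the shared secret as the key."""
    mac = CMAC(algorithms.AES(secret))
    mac.update((timestamp + base_string).encode("utf-8"))
    return mac.finalize().hex()


def build_authorization(principal, secret, base_string, now=None):
    """Client side: principal|timestamp|token."""
    now = now or datetime.now(timezone.utc)
    timestamp = now.strftime(TS_FORMAT)
    return "|".join([principal, timestamp, sign(secret, timestamp, base_string)])


def verify_authorization(header, secrets, base_string, now=None):
    """Receiving side: return the principal ID if valid, else None."""
    now = now or datetime.now(timezone.utc)
    parts = header.split("|")
    if len(parts) != 3:
        return None
    principal, timestamp, token = parts
    try:
        sent = datetime.strptime(timestamp, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    if abs(now - sent) > MAX_SKEW:
        return None  # outside the window: a captured header stops being usable
    secret = secrets.get(principal)
    if secret is None:
        return None
    expected = sign(secret, timestamp, base_string)
    # Constant-time comparison so timing does not reveal matching prefix length.
    return principal if hmac.compare_digest(expected.encode(), token.encode()) else None


if __name__ == "__main__":
    # Constructed values, except the secret, which is the page's example key.
    print(build_authorization("demo-principal", b"1234567890123456", "example-base-string"))
```

The base string passed to both functions must be rebuilt from the request itself on the receiving side, using the values the API reference lists for that request type.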
The authorization parameter may be sent differently in existing clients, but these methods will not be supported in the future.
- The AUTHORIZATION form parameter was previously used in POST requests, but is not necessary now.
- The Authorization query string parameter was previously accepted as an alternate for DELETE requests, but is not necessary now.